Major security hole - Domain Administrator Password
Joseph Zargari
VP Customer Relations


Meet me in Vegas - SysAid technology Conference - 28-30/4/2010
Joined: 26/03/2006
Messages: 516
Offline

Hey Lev,

Basically, we never looked at this as a security issue. Since SysAid usually runs on a server, the serverConf.xml file should not be accessible for domain users to see (limited by NTFS permissions).
The password showing on the configuration file was more of a cosmetic issue.

Joseph.
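
The NTFS restriction this reply relies on can be verified on the server rather than assumed. The script below is an added example, not part of the original thread and not SysAid tooling; it lists Allow entries that give broad groups read access to the file. The path is a placeholder because the thread does not say where serverConf.xml lives, and the function name is hypothetical.

```powershell
# Added example: audit which broad groups can read a config file that may hold credentials.
# $ConfigPath is a placeholder; the thread does not give the file's location.
param(
    [string]$ConfigPath = 'C:\PLACEHOLDER\serverConf.xml'
)

# Well-known SIDs of broad groups that should not be able to read the file.
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
# Domain Users is domain-relative: S-1-5-21-<domain>-513
$domainUsersPattern = '^S-1-5-21-\d+-\d+-\d+-513$'

# ReadData (0x1), plus GENERIC_READ (0x80000000) and GENERIC_ALL (0x10000000),
# which can appear unmapped in an ACE.
$readMask = 0x1 -bor 0x80000000 -bor 0x10000000

function Get-BroadReadAccess {   # hypothetical helper name
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    # Request SIDs so the check does not depend on localized group names.
    $rules = $acl.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if (([int]$rule.FileSystemRights -band $readMask) -eq 0) { continue }
        $sid  = $rule.IdentityReference.Value
        $name = $broadSids[$sid]
        if (-not $name -and $sid -match $domainUsersPattern) { $name = 'Domain Users' }
        if ($name) {
            [pscustomobject]@{
                Principal = $name
                Sid       = $sid
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

$findings = @(Get-BroadReadAccess -Path $ConfigPath)
if ($findings.Count -eq 0) {
    Write-Output "No broad-group read access found on $ConfigPath"
} else {
    $findings | Format-Table -AutoSize
}
```

The check only flags direct Allow entries for these groups; it does not evaluate Deny entries, nested group membership, or access through a file share or backup copy of the file.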
@@@
SysAider

SysAider from release 7.5 United States
Joined: 08/01/2013
Messages: 2
Offline

I hate to dig up an old ticket but the responses to people's questions in this thread are inadequate.

We are being told to use a service account with read-only privileges; however, for password services you ask that we use a domain administrator account. What is the correct answer? Domain admin or read-only user?
Joseph Zargari

Hi @@@,
SysAid requires read-only permissions to import user data from AD and perform authentication. It requires a domain admin account if you are also implementing Password Services.

I hope this answers your question.
Joseph.
Tarphon
SysAider

SysAider from release 5.5 United States
Joined: 20/06/2008
Messages: 16
Offline

So did you ever notify your customers or do they only find out when they stumble across this post? Storing any password in plaintext is poor security and if you didn’t think this was an issue or worth notifying your clients about then what other “non-issues” are lurking out there for us to find?

Unacceptable.
Joseph Zargari

Hi Tarphon,

Since this post started, this was already corrected. SysAid doesn't store any password in plain text in the config files, definitely not the domain admin's one.

We take security very seriously when we come to plan, design and develop our products. We spend a great deal of effort and resources making SysAid more secure.
Surely, things can go wrong - but we are always ready to respond quickly when a security breach is found.

Thanks,
Joseph.